/resolvconf-admin

setuid helper program for setting up the local DNS

Primary LanguageCMIT LicenseMIT

resolvconf-admin

resolvconf-admin is a setuid helper program for tools that need to be able to set up the local DNS resolver configuration.

This program deals with setting the local DNS resolver configuration (i.e. /etc/resolv.conf), which needs to be done as root on some systems. One example use case is to run a DHCP client without giving that DHCP client full superuser privileges.

Theory of Operation

If /sbin/resolvconf is present and executable, it is invoked as root with the specified configuration. If /sbin/resolvconf is not present (or is present but not executable), then /etc/resolv.conf is updated directly.

WARNING!!!

A better approach for setting up the DNS in a non-privileged way is to make an authenticated IPC call to some running daemon that already manages /etc/resolv.conf. However, some systems do not run such a daemon, so we offer this setuid approach instead, for those limited systems only.

This setuid program should not be installed on systems that already run such a daemon, because every setuid program increases the attack surface of the operating system.

DO NOT INSTALL THIS TOOL IF YOU HAVE BETTER OPTIONS AVAILABLE TO YOU!

Installation

It should probably be installed as /usr/bin/resolvconf-admin something like this:

getent group resolvconf-admins >/dev/null || addgroup --system resolvconf-admins
chown root:resolvconf-admins /usr/bin/resolvconf-admin
chmod 4754 /usr/bin/resolvconf-admin

and then make sure the user that you care about has access, by adding them to this group:

adduser my-nonpriv-dhcp-daemon resolvconf-admins

Usage

When the non-privileged user wants to set local DNS resolvers due to information it learned from interface NETIF, it should invoke:

resolvconf-admin add NETIF [-s SEARCH] [-d DOMAIN] NAMESERVER [...]

Note that DNS search path and domain name are optional. However, at least one nameserver is required.

When the non-privileged user wants to tear down the DNS resolver information that it had previously set for interface NETIF, it should invoke:

resolvconf-admin del NETIF